How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Which agent frameworks does ctf-malware support?

ctf-malware works with any agent framework supported by the Skills registry, including Claude Code, Cursor, GitHub Copilot, Cline, Codex, and Gemini CLI.

Is ctf-malware free to use?

Yes. ctf-malware is free to install and use. It is available from the open explainx.ai skill registry published by ljagiello.

Where can I read ratings and reviews for ctf-malware?

Community ratings and review text appear on this explainx.ai skill page below the description. Reviews use a 1–5 scale and may include short written feedback from signed-in members.

How do I install ctf-malware?

Run `npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware` in your terminal. You need to have run `npx skills init` once in your project first.

Productivity

ctf-malware▌

ljagiello/ctf-skills · updated Apr 8, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware

0 commentsdiscussion

summary

Malware analysis and network traffic techniques for CTF challenges.

›Covers script deobfuscation (JavaScript, PowerShell, base64/hex decoding), YARA rule writing, shellcode analysis with Unicorn Engine and Capstone, and memory forensics using Volatility 3 (malfind, process injection detection)
›Includes PE and .NET binary analysis (peframe, dnSpy, AsmResolver), malware configuration extraction, and sandbox evasion detection (VM detection, timing checks, API hashing)
›Provides C2 traffic

skill.md

CTF Malware & Network Analysis

Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

Prerequisites

Python packages (all platforms):

pip install yara-python pefile capstone oletools unicorn pycryptodome \
  volatility3 dissect.cobaltstrike

Linux (apt):

apt install strace ltrace tshark binwalk binutils

macOS (Homebrew):

brew install wireshark binwalk binutils ghidra

Manual install:

dnSpy — GitHub, .NET decompiler (Windows)

Additional Resources

scripts-and-obfuscation.md - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis, dynamic analysis techniques (strace/ltrace, network monitoring, memory string extraction, automated sandbox execution), YARA rules for malware detection, shellcode analysis (Unicorn Engine, Capstone), memory forensics for malware (Volatility 3 malfind, process injection detection), anti-analysis techniques (VM detection, timing evasion, API hashing, process injection), trojanized plugin analysis with custom alphabet C2 decoding
c2-and-protocols.md - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery, Poison Ivy RAT Camellia decryption
pe-and-dotnet.md - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor

When to Pivot

If the sample is really just a normal crackme, packed challenge binary, or custom VM with no malware behavior, switch to /ctf-reverse.
If the main job is network reconstruction, disk carving, or host artifact recovery, switch to /ctf-forensics.
If the challenge turns into public attribution or infrastructure tracing, switch to /ctf-osint.

Quick Start Commands

# Static analysis
file suspicious_file
strings -n 8 suspicious_file | head -50
xxd suspicious_file | head -20

# PE analysis
python3 -c "import pefile; pe=pefile.PE('mal.exe'); print(pe.dump_info())" | head
peframe mal.exe

# Dynamic analysis (sandboxed!)
strace -f -s 200 ./suspicious 2>&1 | head -100
ltrace ./suspicious 2>&1 | head -50

# Network indicators
strings suspicious_file | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
strings suspicious_file | grep -iE 'http|ftp|ws://'

# YARA scan
yara -r rules.yar suspicious_file

Obfuscated Scripts

Replace eval/bash with echo to print underlying code; extract base64/hex blobs and analyze with file. See scripts-and-obfuscation.md.

JavaScript & PowerShell Deobfuscation

JS: Replace eval with console.log, decode unescape(), atob(), String.fromCharCode().
PowerShell: Decode -enc base64, replace IEX with output. See scripts-and-obfuscation.md.

Junk Code Detection

NOP sleds, push/pop pairs, dead writes, unconditional jumps to next instruction. Filter to extract real call targets. See scripts-and-obfuscation.md.

PCAP & Network Analysis

tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload

Look for C2 on unusual ports. Extract IPs/domains with strings | grep. See c2-and-protocols.md.

Custom Crypto Protocols

Stream ciphers share keystream state for both directions; concatenate ALL payloads chronologically.
ChaCha20 keystream extraction: send nullbytes (0 XOR anything = anything). See c2-and-protocols.md.

C2 Traffic Patterns

Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See c2-and-protocols.md.

RC4-Encrypted WebSocket C2

Remap port with tcprewrite, add RSA key for TLS decryption, find RC4 key in binary. See c2-and-protocols.md.

Identifying Encryption Algorithms

AES: 0x637c777b S-box; ChaCha20: expand 32-byte k; TEA/XTEA: 0x9E3779B9; RC4: sequential S-box init. See c2-and-protocols.md.

AES-CBC in Malware

Key = MD5/SHA256 of hardcoded string; IV = first 16 bytes of ciphertext. See c2-and-protocols.md.

PE Analysis

peframe malware.exe      # Quick triage
pe-sieve                 # Runtime analysis
pestudio                 # Static analysis (Windows)

See pe-and-dotnet.md.

.NET Malware Analysis

Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with MD5-derived key. See pe-and-dotnet.md.

Malware Configuration Extraction

Check .data section, PE/.NET resources, registry keys, encrypted config files. See pe-and-dotnet.md.

Sandbox Evasion Checks

VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See pe-and-dotnet.md.

Anti-Analysis Techniques

VM detection (CPUID, MAC prefix, registry, disk size), timing evasion (sleep/RDTSC sandbox detection), API hashing (ROR13/DJB2/CRC32 + hashdb lookup), process injection (hollowing, APC, CreateRemoteThread), environment checks. See scripts-and-obfuscation.md.

Trojanized Plugin Analysis

Diff malicious plugin against official release to find injected code in try/except blocks. Custom alphabet rotation (C[(C.index(ch) - offset) % len(C)]) decodes C2 domain, XOR decodes endpoint path. See scripts-and-obfuscation.md.

PyInstaller + PyArmor Unpacking

pyinstxtractor.py to extract, PyArmor-Unpacker for protected code. See pe-and-dotnet.md.

Telegram Bot Evidence Recovery

Use bot token from malware source to call getUpdates and getFile APIs. See c2-and-protocols.md.

Debian Package Analysis

ar -x package.deb && tar -xf control.tar.xz  # Check postinst scripts

See scripts-and-obfuscation.md.

YARA Rules for Malware Detection

Write YARA rules to match byte patterns, strings, and regex against files or memory dumps. Detect XOR loops ({31 ?? 80 ?? ?? 4? 75}), base64 blobs, encoded PowerShell. Use yarac to compile for faster scanning. See scripts-and-obfuscation.md.

Shellcode Analysis

Disassemble with objdump -b binary -m i386:x86-64, emulate with Unicorn Engine (hook syscalls safely), or use Capstone for programmatic disassembly. Look for XOR decoder stubs. See scripts-and-obfuscation.md.

Memory Forensics for Malware

vol3 windows.malfind detects injected code (PAGE_EXECUTE_READWRITE without mapped file). windows.pstree reveals suspicious parent-child relationships. YARA scan memory with yarascan.YaraScan. See scripts-and-obfuscation.md.

Network Indicators Quick Reference

strings malware | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u

how to use ctf-malware

How to use ctf-malware on Cursor

AI-first code editor with Composer

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

›Cursor installed and configured on your development machine
›Node.js version 16.0+ with npm package manager (verify with node --version)
›Active project directory or workspace where you want to add ctf-malware

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills add https://github.com/ljagiello/ctf-skills --skill ctf-malware

The skills CLI fetches ctf-malware from GitHub repository ljagiello/ctf-skills and configures it for Cursor.

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?

│

│ ── Universal (.agents/skills) ── always included ────

│ • Amp

│ • Antigravity

│ • Cline

│ • Codex

│ ●Cursor(selected)

│ • Cursor

│ • Windsurf

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/ctf-malware

Reload or restart Cursor to activate ctf-malware. Access the skill through slash commands (e.g., /ctf-malware) or your agent's skill management interface.

⚠

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

›View source code on GitHub ›Skills CLI documentation ›Learn more about Cursor ›What are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases▌

User Story & Requirements Generation

Create detailed user stories, acceptance criteria, and feature specs

Example

Generate user stories for 'password reset feature' with acceptance criteria, edge cases, and test scenarios

✓

Reduce spec writing time by 50%, ensure comprehensive coverage

Competitive Analysis

Research competitors, compare features, identify gaps

Example

Analyze 5 competitor products, create feature comparison matrix, suggest differentiation opportunities

✓

Complete competitive research in 2 hours instead of 2 days

Roadmap Prioritization

Evaluate features using frameworks (RICE, ICE, Kano) and create prioritized backlogs

Example

Score 20 feature ideas using RICE framework, generate prioritized roadmap with rationale

✓

Make data-driven prioritization decisions faster

Stakeholder Communication

Draft PRDs, status updates, and stakeholder presentations

Example

Create executive summary of Q3 roadmap, monthly progress report, feature launch announcement

✓

Save 3-5 hours/week on communication overhead

Implementation Guide▌

Prerequisites

›Claude Desktop or compatible AI client
›Access to product documentation and roadmap tools (Jira, Notion, etc.)
›Understanding of product management frameworks (RICE, Jobs-to-be-Done, etc.)
›Stakeholder contact information and communication channels

Time Estimate

30-60 minutes to see productivity improvements

Installation Steps

1.Install product management skill
2.Start with user story generation for known feature
3.Progress to competitive analysis: research 2-3 competitors
4.Use for roadmap prioritization: apply RICE/ICE scoring
5.Draft stakeholder communications and refine based on feedback
6.Build template library for recurring PM tasks
7.Share effective prompts with product team

Common Pitfalls

⚠Not validating competitive research—verify facts before sharing
⚠Accepting user stories without involving engineering team
⚠Over-relying on frameworks without qualitative judgment
⚠Not customizing outputs to company culture and communication style
⚠Skipping stakeholder validation of generated requirements

Best Practices▌

✓ Do

+Validate research and competitive analysis with real data
+Collaborate with engineering when generating technical requirements
+Customize frameworks and templates to your company context
+Use skill for first drafts, refine with stakeholder input
+Document successful prompt patterns for PM tasks
+Combine AI efficiency with human judgment and intuition

✗ Don't

−Don't publish competitive analysis without fact-checking
−Don't finalize user stories without engineering review
−Don't make prioritization decisions solely on AI scoring
−Don't skip customer validation of generated requirements
−Don't ignore company-specific context and culture

💡 Pro Tips

★Provide context: company goals, constraints, customer feedback
★Ask for alternatives: 'Show 3 ways to prioritize this roadmap'
★Request stakeholder-specific formatting: 'Executive summary vs. engineering spec'
★Use skill for 70% generation + 30% customization to company needs

When to Use This▌

✓ Use When

Use for user story writing, competitive research, roadmap prioritization, stakeholder communication, and PRD drafting. Best for reducing repetitive documentation and research work.

✗ Avoid When

Avoid for strategic product vision (requires deep customer empathy), pricing decisions (needs market and financial expertise), or when face-to-face customer discovery is more valuable than speed.

Learning Path▌

1Basic: user stories, feature specs, status updates
2Intermediate: competitive analysis, prioritization frameworks, PRDs
3Advanced: product strategy, go-to-market planning, OKR setting
4Expert: product vision, market positioning, business model innovation

Discussion

Product Hunt–style comments (not star reviews)

No comments yet — start the thread.

general reviews

Ratings

4.7★★★★★49 reviews

★★★★★Yash Thakker· Dec 28, 2024
Registry listing for ctf-malware matched our evaluation — installs cleanly and behaves as described in the markdown.
★★★★★Nikhil Sharma· Dec 20, 2024
I recommend ctf-malware for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
★★★★★Harper Patel· Dec 12, 2024
We added ctf-malware from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Aarav Chen· Dec 8, 2024
ctf-malware fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
★★★★★Kofi Desai· Dec 8, 2024
Solid pick for teams standardizing on skills: ctf-malware is focused, and the summary matches what you get after install.
★★★★★Nikhil Reddy· Nov 27, 2024
We added ctf-malware from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
★★★★★Michael Abbas· Nov 27, 2024
ctf-malware is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
★★★★★Dhruvi Jain· Nov 19, 2024
ctf-malware reduced setup friction for our internal harness; good balance of opinion and flexibility.
★★★★★Aarav Yang· Nov 15, 2024
Useful defaults in ctf-malware — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
★★★★★Kiara Smith· Nov 11, 2024
Keeps context tight: ctf-malware is the kind of skill you can hand to a new teammate without a long onboarding doc.

showing 1-10 of 49

1 / 5